Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check NSEC RRs when verifying wildcard answer #21

Open
gnarea opened this issue Sep 22, 2022 · 0 comments
Open

Check NSEC RRs when verifying wildcard answer #21

gnarea opened this issue Sep 22, 2022 · 0 comments

Comments

@gnarea
Copy link
Member

gnarea commented Sep 22, 2022

RFC 4035 (Section 3.1.3.3) makes an important point:

If the zone does not contain any RRsets that exactly match <SNAME, SCLASS> but does contain an RRset that matches <SNAME, SCLASS, STYPE> via wildcard name expansion, the name server MUST include the wildcard-expanded answer and the corresponding wildcard-expanded RRSIG RRs in the Answer section and MUST include in the Authority section an NSEC RR and associated RRSIG RR(s) proving that the zone does not contain a closer match for <SNAME, SCLASS>.

See also #17
@gnarea gnarea modified the milestone: Version 1 Sep 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gnarea